When a recently-fired IT employee couldn’t get his former employer, McLane Advanced Technologies, to help with his unemployment claim, he allegedly decided to get even. And to be comfortable while exacting revenge, David Palmer reportedly headed to a sports bar, as well as spending time at home and at another establishment. It might not be what he was taught while working for his information systems degree, but, hey, whatever works, right?
While sipping drinks and watching the scenery, he broke into McLane’s IT systems, which ran a time clock system for customers, and erased the payroll files for one of the company’s clients. The next day, that customer couldn’t get into any of its payroll records. With all the focus on hacking groups like Anonymous, it can be easy to forget that many IT security breaches are internal, the result of action by current or former employees (Palmer created a back-door account to use for the attacks).
According to the Verizon 2011 Data Breach Investigations Report, the percentage of attacks from outsiders seems to have grown, but probably only because small external attacks had skyrocketed, while internal attacks stayed steady. The internal threats encompass a variety of problems. Not all the potential problems are intentional.
For some reason, the IT department may not have installed the proper system and security software upgrades for everyone. Someone may mistakenly open a booby-trapped email attachment or fall prey to a social engineering technique, whereby an outsider tricks an employee into giving away important secure information. Then there are the David Palmers, or even employees who will work with criminals to embezzle from or defraud their employers. In short, sloppiness, mistakes, or a case of “who will watch the watchers?” can strike where a company’s IT infrastructure is most vulnerable. Here are some steps that companies should take to avoid a surprise in the office:
- Regular IT audits can turn up weak areas that pose potential threats (including accounts that don’t seem to belong to an employee).
- Training employees in security basics may seem like old hat, but it never goes out of style.
- Don’t be afraid to get strict, forcing employees to rigorously protect their network identities and passwords.
- Add extra identification and authentication hurdles for access to the most sensitive data.
- When someone leaves, deactivate their accounts and all resource access immediately.
- Pay closer attention to employees with high system, network, and resource privileges, periodically monitoring them — perhaps using a trusted third party so that no one in authority can arrange to remain unchecked.
More work? Yes, it is. But it’s critical and can keep at bay some of the more dangerous attacks your organization may face.
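As an added illustration (not part of the original article), the audit and offboarding steps above can be combined into one recurring check: reconcile every enabled account against the HR roster and flag any that belong to no employee or to someone who has left. The CSV column names and all sample records below are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; column names are assumptions for this example.
HR_ROSTER = """employee_id,name,status,termination_date
1001,Alice Nguyen,active,
1002,Bob Ortiz,terminated,2024-03-01
1003,Carol Smith,active,
"""

ACCOUNTS = """username,owner_employee_id,enabled,privileged
anguyen,1001,true,false
bortiz,1002,true,true
csmith,1003,true,false
svc_backup2,,true,true
bortiz_old,1002,false,false
"""


def audit_accounts(roster_csv, accounts_csv):
    """Return (username, reason, privileged) for each enabled account
    that has no current employee behind it, privileged accounts first."""
    roster = {row["employee_id"]: row
              for row in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].lower() != "true":
            continue  # already deactivated, nothing to do
        owner = roster.get(acct["owner_employee_id"])
        if owner is None:
            # No HR record at all: possible back-door or forgotten account.
            reason = "no matching employee"
        elif owner["status"] != "active":
            # Offboarding gap: the person left but the login still works.
            reason = "owner terminated " + owner["termination_date"]
        else:
            continue  # enabled account with an active owner
        privileged = acct["privileged"].lower() == "true"
        findings.append((acct["username"], reason, privileged))
    # Review high-privilege accounts first, then sort by name.
    findings.sort(key=lambda f: (not f[2], f[0]))
    return findings


if __name__ == "__main__":
    for username, reason, privileged in audit_accounts(HR_ROSTER, ACCOUNTS):
        tag = "PRIVILEGED" if privileged else "standard"
        print(f"{username:12} {tag:10} {reason}")
```

Run against real exports on a schedule, the same comparison also covers the last step in the list if someone outside the administrator group reviews the output.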